Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Sharing Authentication Across ASP.NET Applications

Thread Tools

Sharing Authentication Across ASP.NET Applications

Tod Birdsall, MCSD for .NET
Posts: n/a
Hi All,

I have two ASP.NET applications which I am trying to have share forms
authentication. But I am running into problems.

App A is an ASP.NET 2.0 Beta 2 application. App B is an ASP.NET 1.1
application (Telligent's Community Server) compiled with VS.NET 2003.

App B runs in a virtual sub-directory of App A. Both applications run
fine. Both site's ASP.NET tabs are set appropriately (A = 2.0.5X B =

I have done a lot of research and I believe both applications are setup
to share the same authentication cookie.

Here are the steps I took:

1. Added identical <machineKey> to the root web.config of each app.

<!-- Keys shortened for brevity -->
validationKey="5FC1F907ADE8C5800DB3B1F195B8E...EAD FF5E78070CAA"
validation="3DES" />

2. Changed <authentication> in each root web.config to be identical.

<authentication mode="Forms">
<forms name=".CommunityServer"
protection="All" timeout="20"
path="/" />

3. In the App A web.config I added the following:

<location path="main">
<deny users="?" />

4. In the App B web.config I added the following:

<deny users="?" />

According to the sites I have read on how to do this, the above changes
should be enough. I try the following:

1. When attempting to get to the /main directory of App A, I am
redirected to the login.

2. I successfully login. Using Tracing, I can see that my
..CommmunityServer cookie has been set.

3. I attempt to get to the virtual sub-directory (App B). I am
redirected to the login page.
4. Without logging in again, I go to the /main directory of App A and I
get there without being redirected. Viewing the Tracing output on the
page, I can see that my cookie is still set.

I have put the following code into the Application_AuthenticateRequest
event handler of App B's Global.asax file:

----------BEGIN CODE-------------------------
protected void Application_AuthenticateRequest(Object sender, EventArgs
bool cookieFound = false;

HttpCookie authCookie = null;
HttpCookie cookie;
string cookieNames = "";
for(int i=0; i < Request.Cookies.Count; i++)
cookie = Request.Cookies[i];

cookieNames = cookieNames + cookie.Name + "\n";
if (cookie.Name == FormsAuthentication.FormsCookieName)
cookieFound = true;
authCookie = cookie;

// If the cookie has been found, it means it has been issued from
// the windows authorisation site, is this forms auth site.
if (cookieFound)
// Extract the roles from the cookie, and assign to our current
principal, which is attached to the
// HttpContext.
FormsAuthenticationTicket winAuthTicket =
string[] roles = winAuthTicket.UserData.Split(';');
FormsIdentity formsId = new FormsIdentity(winAuthTicket);
GenericPrincipal princ = new GenericPrincipal(formsId,roles);
HttpContext.Current.User = princ;
// No cookie found, we can redirect to the Windows auth site if we
want, or let it pass through so
// that the forms auth system redirects to the logon page for us.
throw new ApplicationException(@"Invalid login from here.
FormsCookieName:" + FormsAuthentication.FormsCookieName + "\n" +
"CookieNames:" + cookieNames+ "\n");

-----------------END CODE----------------------------

The cookie with the name ".CommunityServer" is found, but when the line
calling "FormsAuthentication.Decrypt(authCookie.Value) ;" executes, I
get the following error:

-----------BEGIN ERROR-------------------------------
Bad Data.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicExceptio n:
Bad Data.

Source Error:

Line 100: // HttpContext.
Line 101: //throw new ApplicationException("CookieName: " +
authCookie.Name + "\n" + authCookie.Value);
Line 102: FormsAuthenticationTicket winAuthTicket =
Line 103: string[] roles = winAuthTicket.UserData.Split(';');
Line 104: FormsIdentity formsId = new FormsIdentity(winAuthTicket);

Source File: c:\dev\cs_bsinterns\web\global.asax.cs Line: 102

Stack Trace:

[CryptographicException: Bad Data.
System.Security.Cryptography.CryptoAPITransform._D ecryptData(IntPtr
hKey, Byte[] rgb, Int32 ib, Int32 cb, Boolean fDone) +0

System.Security.Cryptography.CryptoAPITransform.Tr ansformFinalBlock(Byte[]
inputBuffer, Int32 inputOffset, Int32 inputCount) +805
System.Security.Cryptography.CryptoStream.FlushFin alBlock() +40
System.Web.Configuration.MachineKey.EncryptOrDecry ptData(Boolean
fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length) +139
System.Web.Security.FormsAuthentication.Decrypt(St ring
encryptedTicket) +114
CommunityServerWeb.Global.Application_Authenticate Request(Object
sender, EventArgs e) in c:\dev\cs_bsinterns\web\global.asax.cs:102

System.Web.SyncEventExecutionStep.System.Web.HttpA pplication+IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionS tep step, Boolean&
completedSynchronously) +87

Version Information: Microsoft .NET Framework Version:1.1.4322.573;
ASP.NET Version:1.1.4322.573
-----------END ERROR---------------------------------

Any help that you can provide would be much appreciated. I have been
working on this issue for longer than I care state.

Thank you.

Tod Birdsall, MCSD for .NET

Reply With Quote
Tod Birdsall, MCSD for .NET
Posts: n/a
I was able to solve this issue with a workaround that uses a manualy
generated cookie rather than the cookie created by the
FormsAuthentication class.

If you need more details on this, please feel free to contact me
regarding it.

Tod Birdsall, MCSD for .NET

Reply With Quote

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sharing session across applications Fresno Bob ASP .Net 3 01-15-2008 03:34 PM
Forms Authentication Across Applications =?Utf-8?B?RmFyaWJh?= ASP .Net 4 05-16-2007 10:34 PM
Sharing variables across 2 Applications Mothish K ASP .Net 3 06-15-2004 08:34 AM
Sharing Session variables across applications Cowboy \(Gregory A. Beamer\) ASP .Net 4 12-19-2003 06:49 AM
Forms authentication across multiple applications and framework versions JC ASP .Net 1 11-05-2003 11:59 PM